This March 1, 2017, file photo shows an exterior view of Uber's headquarters in San Francisco. (AP Photo/Eric Risberg, File)

(Newser) – Uber last month revealed a major 2016 hack that exposed information for 57 million customers and drivers, as well as the fact that it paid out $100,000 to the attackers to scrub the information and keep the breach secret. Now, sources tell Reuters it was actually one hacker who took home the $100,000, and he was a Florida man barely out of his teens. The "extremely unusual" payment to the unnamed 20-year-old hacker said to be "living with his mom" was made through what's known as Uber's "bug bounty" service—a program often used by big tech companies, per Engadget—hosted by a firm called HackerOne, which compensates hackers for finding issues in software. The three sources who spoke to Reuters say they're not sure who gave the OK to pay off the hacker and cover up the breach, though they note then-CEO Travis Kalanick was aware of both moves.

Katie Moussouris, an ex-HackerOne exec, says such a payout would be an "all-time record," as such bug-bounty payments usually fall between $5,000 and $10,000. Also making this case unusual: Uber paid someone who had stolen information and didn't immediately report the breach to regulators. "The creation of a bug bounty program doesn't allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don't apply to them," Moussouris notes. The sources say Uber had the hacker sign an NDA and examined his machine to make sure all stolen data had been wiped. One source adds Uber doesn't want to see him prosecuted because it doesn't think he poses any further threat, noting he was simply "living with his mom in a small home trying to help pay the bills." One source says a second person, also unnamed, helped the hacker.

Uber needs to be fined by the gov first for hiding, then paying off and finally for having such shoddy security that a pre-adolescent was able to hack it. It is BS that big companies don't keep their data secure and just say "oh well" once our personal data is hacked. They need to be held accountable and prosecuted for not being able to protect those they are making money from.

Winston_Smith

Dec 7, 2017 11:20 AM CST

Lots of software's biggest names started out as teenage hackers. Bill Gates was forced to stay away from computers for a year after he hacked into a major corporation's computer. Steve Wozniak got his start building devices to get free calls from pay telephones.

rhinojake

Dec 7, 2017 10:37 AM CST

Must have been one of our very own Newser Losers.......... You know who you are.... ;-)